From 31c2e6c08eccf77ec24126b9c77a910a4e543293 Mon Sep 17 00:00:00 2001
From: Daniel Niknam
Date: Sun, 22 Aug 2021 01:33:21 +1000
Subject: [PATCH] [rubygems/rubygems] Using `Gem::PrintableUri` in `Gem::Commands::InstallCommand` class

The `x.source.uri` could be a source URI with a credential. Using `Gem::PrintableUri` to make sure we are redacting sensitive information from it.

https://github.com/rubygems/rubygems/commit/8755ee0aaa
---
 lib/rubygems/commands/install_command.rb | 4 ++-
 .../test_gem_commands_install_command.rb | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/lib/rubygems/commands/install_command.rb b/lib/rubygems/commands/install_command.rb
index 92430ea444..ee50cba472 100644
--- a/lib/rubygems/commands/install_command.rb
+++ b/lib/rubygems/commands/install_command.rb
@@ -5,6 +5,7 @@ require_relative '../dependency_installer'
 require_relative '../local_remote_options'
 require_relative '../validator'
 require_relative '../version_option'
+require_relative '../printable_uri'
 
 ##
 # Gem installer command line tool
@@ -260,7 +261,8 @@ You can use `i` command instead of `install`.
     errors.each do |x|
       return unless Gem::SourceFetchProblem === x
 
-      msg = "Unable to pull data from '#{x.source.uri}': #{x.error.message}"
+      printable_uri = Gem::PrintableUri.parse_uri(x.source.uri.clone)
+      msg = "Unable to pull data from '#{printable_uri}': #{x.error.message}"
 
       alert_warning msg
     end
diff --git a/test/rubygems/test_gem_commands_install_command.rb b/test/rubygems/test_gem_commands_install_command.rb
index 48ac040d0e..535180983b 100644
--- a/test/rubygems/test_gem_commands_install_command.rb
+++ b/test/rubygems/test_gem_commands_install_command.rb
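Review bot: In the second hunk the warning is only half covered by the new redaction: `printable_uri` is redacted, but `#{x.error.message}` is interpolated as-is, so whether the credential is fully scrubbed from the line depends on the fetch error class redacting its own URI. The expected string in the new test suggests that it does, but that dependency is invisible here and deserves a comment next to the interpolation, e.g. `# x.error.message is expected to carry a redacted URI itself; only the source URI is redacted here`. The reason for `.clone` on `x.source.uri` is also not stated; if `parse_uri` rewrites the URI in place, say so, e.g. `# clone: keep the source's own URI intact for fetching`. The require_relative hunk needs nothing; the enclosing method starts and ends outside this hunk.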
@@ -1067,6 +1067,31 @@ ERROR: Possible alternatives: non_existent_with_hint
     assert_equal x, e
   end
 
+  def test_redact_credentials_from_uri_on_warning
+    spec_fetcher do |fetcher|
+      fetcher.download 'a', 2
+    end
+
+    Gem.sources << "http://username:SECURE_TOKEN@nonexistent.example"
+
+    @cmd.options[:args] = %w[a]
+
+    use_ui @ui do
+      assert_raise Gem::MockGemUi::SystemExitException, @ui.error do
+        @cmd.execute
+      end
+    end
+
+    assert_equal %w[a-2], @cmd.installed_specs.map {|spec| spec.full_name }
+
+    assert_match "1 gem installed", @ui.output
+
+    e = @ui.error
+
+    x = "WARNING: Unable to pull data from 'http://username:REDACTED@nonexistent.example': no data for http://username:REDACTED@nonexistent.example/specs.4.8.gz (http://username:REDACTED@nonexistent.example/specs.4.8.gz)\n"
+    assert_equal x, e
+  end
+
   def test_execute_uses_from_a_gemdeps
     spec_fetcher do |fetcher|
       fetcher.gem 'a', 2
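Review bot: The property this test guards is that `SECURE_TOKEN` never reaches the UI, yet that is only implied by the exact-string `assert_equal x, e`; a direct `refute_match "SECURE_TOKEN", e` alongside it states the intent and keeps failing for the right reason if the warning's wording ever changes. The expected string also asserts that the `no data for …` tail is redacted, which comes from the fetch error's message rather than from the change in install_command.rb, so a one-line comment above `x = …` noting that the error class is expected to redact its own URI would spare the next reader a search. `Gem.sources << …` is never undone inside the test; if the harness does not reset sources between tests this could leak into later cases — worth confirming against the test case setup.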